The x86isa Books: Features, Usage, and Future Plans
The x86isa library, incorporated in the ACL2 community books project,
provides a formal model of the x86 instruction-set architecture and supports
reasoning about x86 machine-code programs. However, analyzing x86 programs can
be daunting -- even for those familiar with program verification, in part due
to the complexity of the x86 ISA. Furthermore, the x86isa library is a large
framework, and using and/or contributing to it may not seem straightforward. We
present some typical ways of working with the x86isa library, and describe some
of its salient features that can make the analysis of x86 machine-code programs
less arduous. We also discuss some capabilities that are currently missing from
these books -- we hope that this will encourage the community to get involved
in this project.
Comment: In Proceedings ACL2Workshop 2017, arXiv:1705.0076
Adding 32-bit Mode to the ACL2 Model of the x86 ISA
The ACL2 model of the x86 Instruction Set Architecture was built for the
64-bit mode of operation of the processor. This paper reports on our work to
extend the model with support for 32-bit mode, recounting the salient aspects
of this activity and identifying the ones that required the most work.
Comment: In Proceedings ACL2 2018, arXiv:1810.0376
Hardware-Software Contracts for Secure Speculation
Since the discovery of Spectre, a large number of hardware mechanisms for
secure speculation have been proposed. Intuitively, more defensive mechanisms
are less efficient but can securely execute a larger class of programs, while
more permissive mechanisms may offer more performance but require more
defensive programming. Unfortunately, there are no hardware-software contracts
that would turn this intuition into a basis for principled co-design. In this
paper, we put forward a framework for specifying such contracts, and we
demonstrate its expressiveness and flexibility. On the hardware side, we use
the framework to provide the first formalization and comparison of the security
guarantees provided by a representative class of mechanisms for secure
speculation. On the software side, we use the framework to characterize program
properties that guarantee secure co-design in two scenarios traditionally
investigated in isolation: (1) ensuring that a benign program does not leak
information while computing on confidential data, and (2) ensuring that a
potentially malicious program cannot read outside of its designated sandbox.
Finally, we show how the properties corresponding to both scenarios can be
checked based on existing tools for software verification, and we use them to
validate our findings on executable code.
Comment: Camera ready version that will appear in the proceedings of the 42nd
IEEE Symposium on Security and Privacy (IEEE S&P 2021). A technical report
containing a full formalization and proofs of all results is available at
arXiv:2006.03841v
SPECTECTOR: Principled Detection of Speculative Information Flows
Since the advent of SPECTRE, a number of countermeasures have been proposed
and deployed. Rigorously reasoning about their effectiveness, however, requires
a well-defined notion of security against speculative execution attacks, which
has been missing until now. In this paper (1) we put forward speculative
non-interference, the first semantic notion of security against speculative
execution attacks, and (2) we develop SPECTECTOR, an algorithm based on
symbolic execution to automatically prove speculative non-interference, or to
detect violations. We implement SPECTECTOR in a tool, which we use to detect
subtle leaks and optimization opportunities in the way major compilers place
SPECTRE countermeasures. A scalability analysis indicates that checking
speculative non-interference does not exhibit fundamental bottlenecks beyond
those inherited by symbolic execution.
Comment: 40 pages, technical report with proofs. To appear at IEEE Symposium
on Security and Privacy, 202
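The following is an added, constructed illustration of the speculative non-interference notion used by the Spectector abstract above, and of the leakage-trace view that the hardware-software contracts abstract builds on. It is not code from either paper and not the Spectector tool: the register machine, the "always mispredict" oracle with a fixed window (`WINDOW = 20`), the observation model (load addresses and branch outcomes), the Spectre-v1 style program and the memory layout (`A_BASE`, `B_BASE`, `STRIDE`, a secret byte at `A_BASE + 8`) are all assumptions made here. A pair of states that agree on everything except the secret and produce equal sequential traces must also produce equal speculative traces; if they do not, the program violates speculative non-interference.

```python
"""Toy model of speculative non-interference (SNI).

Constructed illustration, not the Spectector implementation. A tiny register
machine runs either sequentially ("seq") or under an always-mispredict
speculation model ("arch"), where each branch first transiently executes the
wrong path for up to WINDOW instructions ("spec" mode) and then rolls back.
Observations: addresses of loads, the pc after a resolved branch, rollbacks.
"""

WINDOW = 20                      # assumed speculative window, in instructions
A_BASE, A_LEN = 0x100, 4         # assumed public array A (4 entries)
B_BASE, STRIDE = 0x1000, 64      # assumed probe array B used as the side channel


def execute(program, pc, regs, mem, trace, mode, budget=None):
    """Run `program` from `pc`, appending observations to `trace`.
    regs: dict name -> int, mem: dict address -> int, mode in {seq, arch, spec}."""
    steps = 0
    while pc < len(program) and (budget is None or steps < budget):
        ins = program[pc]
        op = ins[0]
        if op == "add":                      # add dst, src, imm
            _, dst, src, imm = ins
            regs[dst] = regs.get(src, 0) + imm
            pc += 1
        elif op == "mul":                    # mul dst, src, imm
            _, dst, src, imm = ins
            regs[dst] = regs.get(src, 0) * imm
            pc += 1
        elif op == "load":                   # load dst, addr_reg
            _, dst, areg = ins
            addr = regs.get(areg, 0)
            trace.append(("load", addr))     # the address is observable (cache)
            regs[dst] = mem.get(addr, 0)
            pc += 1
        elif op == "jge":                    # jge reg, imm, target: jump if reg >= imm
            _, r, imm, target = ins
            taken = regs.get(r, 0) >= imm
            correct = target if taken else pc + 1
            if mode == "arch":
                # Always-mispredict oracle: run the wrong path transiently on a
                # copy of the registers; its observations stay in the trace.
                wrong = pc + 1 if taken else target
                execute(program, wrong, dict(regs), mem, trace, "spec", WINDOW)
                trace.append(("rollback",))
            trace.append(("pc", correct))    # resolved branch outcome is observable
            pc = correct
        elif op == "fence":                  # lfence: transient execution stops here
            if mode == "spec":
                return
            pc += 1
        else:
            raise ValueError(f"unknown op {op}")
        steps += 1


def run(program, regs, mem, speculate):
    """Trace of one execution, sequential or under the speculative model."""
    trace = []
    execute(program, 0, dict(regs), dict(mem), trace, "arch" if speculate else "seq")
    return trace


# Spectre-v1 shaped program: if (x < len(A)) y = B[A[x] * STRIDE]
SPECTRE_V1 = [
    ("jge",  "x", A_LEN, 6),       # 0: bounds check, skip body if x >= len(A)
    ("add",  "t", "x", A_BASE),    # 1: t = &A[x]
    ("load", "v", "t"),            # 2: v = A[x]  (out of bounds when mispredicted)
    ("mul",  "v", "v", STRIDE),    # 3: v = v * STRIDE
    ("add",  "t", "v", B_BASE),    # 4: t = &B[v * STRIDE]
    ("load", "y", "t"),            # 5: address of this load depends on A[x]
]

# Same program with a fence right after the bounds check.
FENCED_V1 = [SPECTRE_V1[0][:3] + (7,), ("fence",)] + SPECTRE_V1[1:]


def memory(secret):
    """Constructed memory: public A, plus a secret byte 8 entries past its end."""
    mem = {A_BASE + i: v for i, v in enumerate([1, 2, 3, 4])}
    mem[A_BASE + 8] = secret
    return mem


def check_sni(program, regs, secrets=(5, 9)):
    """Return (violates_sni, sequential_trace, speculative_traces) for two states
    that differ only in the secret. SNI: equal sequential traces must imply
    equal speculative traces; if the sequential traces already differ the pair
    is outside SNI's scope (that is a classic, non-speculative leak)."""
    mems = [memory(s) for s in secrets]
    seq = [run(program, regs, m, speculate=False) for m in mems]
    if seq[0] != seq[1]:
        return False, seq[0], None
    spec = [run(program, regs, m, speculate=True) for m in mems]
    return spec[0] != spec[1], seq[0], spec


if __name__ == "__main__":
    for name, prog in (("unfenced", SPECTRE_V1), ("fenced", FENCED_V1)):
        violates, seq, spec = check_sni(prog, {"x": 8})   # x = 8 is out of bounds
        print(name, "violates SNI:", violates, "seq:", seq, "spec:", spec)
```

With the attacker-chosen index `x = 8`, the sequential trace is just the taken bounds check, identical for both secrets, but the transient body loads `A[8]` and then `B[secret * STRIDE]`, so the two speculative traces differ in the second load address and the check reports a violation. The fenced variant stops transient execution at the fence, both speculative traces collapse to a rollback followed by the branch outcome, and the check passes; an in-bounds index such as `x = 2` passes in both variants because the mispredicted path is the empty skip.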